Re: Invalid HTTP2 preface handling?

On 11 February 2015 at 17:08, Willy Tarreau <> wrote:

> Hi Greg,
> On Wed, Feb 11, 2015 at 03:15:38PM +1100, Greg Wilkins wrote:
> > Anyway, I've got my answer.  There is no specific threat, just a
> preference
> > to not allow such a simple upgrade/downgrade for the sake of prudence.
>   I
> > can accept that and while I'm still considering supporting a preface
> based
> > version switch, it will be a use-at-own-risk private feature.
> In fact, we all want to be strict on this in order to ensure that no lazy
> implementer would notice it works well without the preface and decides not
> to emit it. That's where the trouble could start.


definitely not proposing to allow HTTP2 without the prefix.   I'm saying
that if you want HTTP2, then you must follow the standard exactly -
including the preface.

However, if a HTTP/21 client does connect to a HTTP/2 server, the server
will be able to detect this by the lack of preface.  Standard calls for
that to be a connection failure and I agree that is the prudent action for
the specification to require.     However, I have a use case for which I am
considering a non standard extension that would allow the HTTP/1 connection
to proceed (on the shaky ground as PHK says) and I just wanted to know if
there was a specific threat that would expose, or just a general
would-be-better-if-we-didn't-risk-it type of thing.


Greg Wilkins <>  @  Webtide - *an Intalio subsidiary* HTTP, SPDY, Websocket server and client that scales  advice and support for jetty and cometd.

Received on Thursday, 12 February 2015 00:04:23 UTC